Slashdot Mirror


Longhorn Will Have Ability to Ban External Storage Devices

slashdotbs writes "CNET is reporting that Microsoft will allow IT managers to block devices such as USB memory keys and - shockingly! - iPods. The article refers to 'the threat posed by digital storage devices'."

33 of 721 comments

  1. ban in sp2 by Davak · · Score: 5, Informative

    Block access to USB keys?

    Hell, we can do that now!

    Remember that SP2 has several new longhorn "features" that were rushed into the service pack in the name of security.

    Davak

    1. Re:ban in sp2 by badriram · · Score: 2, Informative

      Sort of, that only prevents writing to the disks, but does not prevent a USB storage device being plugged in. But this setting alone should be more than adequate for most people.

    2. Re:ban in sp2 by kikta · · Score: 4, Informative
      From the article:

      Microsoft did include a workaround in Windows XP Service Pack 2 that lets users change an internal Windows setting to prevent data from being written to USB devices. But the features planned for Longhorn will be more comprehensive.

      Reading is fun. ;-)
    3. Re:ban in sp2 by Krelnik · · Score: 4, Informative
      >> Reading is fun

      That text about SP2 was NOT in the CNET article when it was first posted. They revised it as the result of comments on their own message board.

  2. What's so shocking? by badriram · · Score: 2, Informative

    iPod acts just like any other USB storage device on Windows. It is still a security issue.

  3. Will it also ban Knoppix? by boinger · · Score: 1, Informative

    Just boot to Knoppix and do what you please. Or zip [whatever] up, tunnel through port 53 and email or scp it to yourself. If you're determined, this isn't a big deal. Of course, this is obviously designed to stop Sales Drones and Marketroids from wasting time on the clock. And based on what I see here at my company...FINALLY!

    --
    Send your friends messages of love at fuck-you.org
  4. What is the big deal? by kidventus · · Score: 5, Informative


    Microsoft since 2000 has always had Group Policy definitions to restrict CD burning and Floppy use on certain PCs, why is this such a big deal? Because it has the word "iPod" in the article?
    It's not like every IT department is going to start locking down USB keys.. it takes one employee complaining to their manager they can't take their uber-important files home to work on at night to get things like this reversed anyway.
    Nail biters don't bother.. it's just a slow news day for Slashdot :-)

    --
    There is a rage in me to defy the order of the stars, despite their pretty patterns.
  5. Windows XP already has this by stevel · · Score: 2, Informative

    Windows XP SP2 already has this. The referenced article describes a larger new feature that would include this as a subset, but "the future is today" regarding IT admins being able to lock out USB storage devices.

  6. Somewhat of a good idea by TheRealMindChild · · Score: 4, Informative

    While I personally believe this is a good thing, often these things can be circumvented easily by... booting a Knoppix CD. Of course a modern BIOS will allow you to restrict booting from a floppy (yes I know... I am the only person who still uses these), or a CD-ROM, but all can be undone with 30 seconds and enough balls to open your case. Even then, I'm sure there is some trick to purge the CMOS without ever cracking the case.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  7. HIPAA by charnov · · Score: 4, Informative

    I worked on a project where we had to remove every USB, firewire, CDROM, and floppy drive along with sheathing all the plugs and sealing all the connections on hundreds of computers to satisfy some of the more stringent controls required in HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996) that no unauthorised persons be able to access restricted documents. It was cheaper than using control software (trusted computing platforms and certification is wicked expensive).

    --
    [RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
  8. Re:They've got their priorities wrong by xxxJonBoyxxx · · Score: 4, Informative

    You can already block IE using an outbound HTTP proxy server which can screen out requests based on the Agent tag. You can also block execution of IE using NTFS permissions. You can also set other browsers to be the default browser on a particular desktop. So...what's the problem?

  9. Very Necessary by SrJsignal · · Score: 5, Informative

    I see a lot of comments talking about "anal sysadmins" and such. In a commercial environment that may be true. But there's an area where it is even MORE important to be able to lock these devices out: the government / sensitive info computers of the world. Think about all of the work that goes on in these places and the number of computers, many of which are on Solaris and Windows (some Linux is approved, but not much). They have to implement these features to keep national-security type information from walking out on someone's keychain. (Of course those items cannot be in secured areas anyway, but I digress.)

  10. Whatever by temojen · · Score: 5, Informative

    Linux has had this since 1991.

    Seriously, it's called fstab.

    It's also a handy way of keeping confidential information from leaking.

    1. Re:Whatever by superpulpsicle · · Score: 4, Informative

      That's at the filesystem level. I think they mean at the device driver level.

    2. Re:Whatever by temojen · · Score: 5, Informative

      Does it matter?

      If it really matters to you that the drivers not be present, you can also turn off module autoloading and not put the USB mass storage drivers in your modules.conf

  11. Re:They've got their priorities wrong by robslimo · · Score: 2, Informative

    There's an option in (I believe in the [Components] section of) the winnt.sif/sysprep.inf files to remove all "visible entry points" to Internet Explorer. Not quite the same as removing it, but goes a long way to steering end users to another browser if that's what an admin wishes.

  12. Uhh this is already possible by nurb432 · · Score: 2, Informative

    With proper management of GPO policy you can disable such external beasts today..

    You can even disable things such as floppy drives...

    Could even do that with NT 4...

    --
    ---- Booth was a patriot ----
  13. This isn't new by OrangeTide · · Score: 2, Informative

    There have been third party products that allowed you to lock out external media (cd-rom, floppy, etc) for quite some time. Unless you were logged in as domain administrator of course. Also you need a password to boot from a floppy and flash the BIOS on most secured networks.

    The idea that an IT admin is given tools necessary to prevent outside data from getting into the network and to prevent data from getting out of the network is neither new nor is it a bad idea.

    Of course one can still just zip up a bunch of secret document and mail them to an anonymous account like gmail. That does leave a pretty nasty paper trail though.

    --
    “Common sense is not so common.” — Voltaire
  14. Re:mount: only root can do that by Minwee · · Score: 4, Informative

    You may want to read the formatted man-page for fstab some time.

    I think that you may find the "user" and "noauto" options interesting.

  15. Reporter should check his facts by cypher_6502 · · Score: 2, Informative

    Microsoft already has documentation on disabling USB, and you do not need to wait for SP2 to implement this. http://support.microsoft.com/default.aspx?scid=kb;en-us;823732 As for the quote, "IT managers do have access to tools that would allow them to block USB ports, but such tools are little-known, and little-used. "There are tools that are available to...manage USB ports, but 99.9 percent of all machines in corporations don't have anything like that," Brill said." I guess Mr. Brill is not aware of the obscure concept of Microsoft Group Policies, file permissions and Google.

  16. they have been able to do that. by DaEMoN128 · · Score: 2, Informative

    There is a setting in the local security policy that stops people from adding hardware.... This includes USB drives and iPods. Been there for a long time too, Win2K without the SPs and later. I find it hard to believe that MS would put that into Local Security Policy and not have it at the Domain Security Policy. I don't feel the need to upgrade my system to a domain controller to verify that though.

    --
    Stop signs are only Suggestions
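The KB article cited in comment 15 and the SP2 write-protect setting mentioned in comment 1 both come down to two registry values under HKLM: the USBSTOR service's Start type (4 = SERVICE_DISABLED, so the driver never loads; 3 = on demand is the default) and, from XP SP2 on, StorageDevicePolicies\WriteProtect = 1, which leaves the driver loaded but makes removable storage read-only. The following is an added example, not code from the thread or from Microsoft: it parses the text of a `reg export` (.reg) file offline and reports which of the two controls is in effect. The two exports it reads are constructed samples; a real `reg export` is UTF-16LE and must be decoded before being passed in. Key and value names are compared case-insensitively because exports vary between `USBSTOR` and `UsbStor`.

```python
"""Audit a .reg export for the two XP-era USB storage lockdown values.

Added example for this thread, not code from any commenter or from
Microsoft. Assumes the values documented for KB 823732
(Services\\USBSTOR\\Start = 4 disables the driver) and the SP2 addition
(Control\\StorageDevicePolicies\\WriteProtect = 1 makes removable
storage read-only). Both live in HKLM, so only an administrator (or
someone booting another OS) can change them.
"""
import re

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
SERVICE_DISABLED = 4   # Start type 4 = disabled; 3 = on demand (the default)

# Constructed export of a locked-down machine (not a real host).
LOCKED_DOWN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001
"""

# Constructed export of a default install: driver on demand, no policy key.
DEFAULT_INSTALL = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]
"Type"=dword:00000001
"Start"=dword:00000003
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path.lower(): {value_name.lower(): value}}.

    DWORD values become ints; every other type is kept as its raw string.
    Names are lower-cased because the registry itself is case-insensitive.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                current[name] = int(data[len("dword:"):], 16)
            else:
                current[name] = data
    return keys


def dword(reg, key, name):
    """Fetch a DWORD, or None if the key or the value is absent."""
    value = reg.get(key.lower(), {}).get(name.lower())
    return value if isinstance(value, int) else None


def audit_usb_storage(text):
    """Report whether the driver is disabled and whether writes are blocked."""
    reg = parse_reg_export(text)
    start = dword(reg, USBSTOR_KEY, "Start")
    write_protect = dword(reg, POLICY_KEY, "WriteProtect")
    return {
        "usbstor_start": start,                       # None if the service key is missing
        "usbstor_disabled": start == SERVICE_DISABLED,
        "write_protect": write_protect == 1,
    }


if __name__ == "__main__":
    for label, export in (("locked down", LOCKED_DOWN), ("default", DEFAULT_INSTALL)):
        print(label, audit_usb_storage(export))
```

Two caveats a practitioner would want: Start = 4 only stops the driver from loading, so the KB article also has you deny access to usbstor.inf and usbstor.pnf to stop a never-before-seen device from installing the driver in the first place, and neither value survives a local administrator (or a Knoppix boot, as several commenters note) deciding otherwise.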
  17. Re:This is a good thing for IT managers by Patoski · · Score: 2, Informative

    So from my mind, this is a Good Thing, and I'd like to see it on my OS X/Linux machines as well.

    This is easy for Linux (and I assume something similar would need to be done on OSX since it is unix based). Linux has been able to do this for many many years. :-)

    Edit /etc/fstab

    Put this in your etc fstab and it ought to do the trick:
    /dev/sda1 /mnt/media/usb-storage vfat ro,noexec,noauto,users 0 0

    All users can mount and read the usb drive (ipods etc) but not write to it, nor can they execute anything from the drive. Of course you'd want to create this entry a number of times in case the user plugs in more than one usb drive. ;) Also there might be more types of usb drives than sda1 [not 100% sure] but you get the gist.

    If you're particularly paranoid make all /dev/sda* devices mount to /dev/null and no one can read their usb drives.

    --
    G. Washington on Government "it is force. Like fire, it is a dangerous servant and a fearful master."
  18. Re:What about banning booting Knoppix CD? by John_Booty · · Score: 3, Informative

    Can Windows also prevent me from booting a Knoppix CD to copy files to my USB device?

    Not sure if you're joking or not, but that would be a BIOS setting, not an OS setting... of course, you'd think that a "secure" workstation probably wouldn't even include a CDROM drive for most users since software would be installed by an admin over the network...

    --

    OtakuBooty.com: Smart, funny, sexy nerds.
  19. Re:They've got their priorities wrong by TechniMyoko · · Score: 2, Informative

    The exe is not actually Internet Explorer. IE is a user control stored within a DLL file. This allows other programs to insert IE as a control, and use it like a command button. To block IE, you'd have to block the DLL, not the exe which uses it.

  20. Re:this isn't an offence to us but a feature by Wolface · · Score: 2, Informative

    and in Linux nothing stops you from doing something even smarter. Make the portable storage read-only so people can listen to their mp3's if they so desire but cannot copy sensitive information to their devices.

    I believe the /etc/fstab entry would be something like this : /dev/sda1 /mnt/usb1 auto noauto,user,ro 0 0


    you forgot the 'noexec' to protect from binaries: /dev/sda1 /mnt/usb1 auto noauto,user,noexec,ro 0 0

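The fstab recipes in comments 10, 14, 17, 20 and 21 all rely on the same mount(8) rules, and the rules are easy to misread: the `user` and `users` options already imply `noexec`, `nosuid` and `nodev` unless a later option such as `exec` re-enables them, options are applied left to right so `exec,user` is not the same as `user,exec`, and `ro` only restricts mounts made through that fstab line (root can still mount the device however it likes). The block below is an added example, not code any commenter posted: it parses fstab text, resolves the effective options the way mount(8) does, and lists what each user-mountable entry still permits. The sample fstab is constructed for the example.

```python
"""Audit which fstab entries an ordinary user may mount, and what those
mounts still allow.

Added example for this thread, not code posted by any commenter. Assumes
the fstab(5) field layout and the mount(8) rule that 'user'/'users'
imply noexec, nosuid and nodev unless a later exec/suid/dev option
overrides them. Root is not restricted by anything here.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    device: str
    mountpoint: str
    fstype: str
    options: list


# Constructed sample fstab, not copied from any real host.
SAMPLE_FSTAB = """\
# <device>  <mountpoint>       <type>  <options>                <dump> <pass>
/dev/sda1   /                  ext4    defaults                 0 1
/dev/sdb1   /mnt/usb1          auto    noauto,user,ro           0 0
/dev/sdc1   /mnt/media/usb     vfat    ro,noexec,noauto,users   0 0
/dev/sdd1   /mnt/usb-rw        vfat    noauto,user,exec         0 0
/dev/sde1   /mnt/usb-bad       vfat    noauto,users,rw,suid     0 0
"""


def parse_fstab(text):
    """Return an Entry for every non-comment line with at least 4 fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                           # malformed line, skip it
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3].split(",")))
    return entries


def effective_options(options):
    """Apply mount(8) option semantics in order; later options win.

    'defaults' carries no flags of its own, so it needs no handling:
    the initial state below already matches it.
    """
    state = {"user": False, "ro": False, "exec": True, "suid": True, "dev": True}
    for opt in options:
        if opt in ("user", "users"):
            # Ordinary users may mount; exec, suid and dev are implicitly off.
            state["user"] = True
            state["exec"] = state["suid"] = state["dev"] = False
        elif opt == "nouser":
            state["user"] = False
        elif opt in ("exec", "suid", "dev"):
            state[opt] = True
        elif opt in ("noexec", "nosuid", "nodev"):
            state[opt[2:]] = False
        elif opt == "ro":
            state["ro"] = True
        elif opt == "rw":
            state["ro"] = False
        # noauto, uid=..., umask=... and the rest do not affect this audit
    return state


def audit(text):
    """Map each user-mountable mountpoint to what the mount still permits."""
    findings = {}
    for entry in parse_fstab(text):
        st = effective_options(entry.options)
        if not st["user"]:
            continue                           # only root can mount it anyway
        problems = []
        if not st["ro"]:
            problems.append("writable")
        if st["exec"]:
            problems.append("exec allowed")
        if st["suid"]:
            problems.append("suid allowed")
        if st["dev"]:
            problems.append("device nodes allowed")
        findings[entry.mountpoint] = problems
    return findings


if __name__ == "__main__":
    for mountpoint, problems in audit(SAMPLE_FSTAB).items():
        print(f"{mountpoint}: {', '.join(problems) or 'ok'}")
```

Run against the sample, the two read-only entries come back clean, `/mnt/usb-rw` is reported as writable with exec allowed (the trailing `exec` undid what `user` implied), and `/mnt/usb-bad` as writable with suid allowed. The `users` spelling, as comment 17 uses it, differs from `user` only in who may unmount: any user rather than just the one who mounted.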
  21. Re:mount: only root can do that by damiam · · Score: 2, Informative
    You can't. You need someone with root access to edit it for you. If you could edit it yourself, you'd be able to circumvent whatever restrictions the root user imposed.

    So what was your point?

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  22. Re:This is a good thing for IT managers by DunbarTheInept · · Score: 2, Informative

    Hey, why doesn't my keyboard and mouse work anymore? Oh, yeah, I disabled the USB drivers...

    USB isn't just for storage devices. Disabling the usbcore disables more than you want. You need to disable the usb storage module.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  23. Apple was there first by soulflakes · · Score: 1, Informative

    OS X Server + LDAP + Workgroup Manager + OS X Clients = been there, done that.

    I can lock users out using any optical drive or any external drive. Per user account, not machine.

    Some users can burn CDs, others can't. In the drag and drop install world of OS X this makes a lot of sense. Machines I administer belong to the enterprise not the user, the company owns them and dictates how they are used. End of story.

  24. Re:...compared to homes by Eravau · · Score: 2, Informative

    I believe most people consider their door a barrier. It's often one of the strongest, sturdiest parts of their home.

    Does it make the house impenetrable? Of course not. I think my post showed that pretty well. But it makes it that much harder to get in the house.

    The same goes for disabling USB storage. It doesn't make the computer impenetrable, but it makes it a little bit harder to cause havoc. You'll never be able to plug every hole. Too many are discovered all the time that we never knew were there all along. Just because you can't plug every hole doesn't mean you should do nothing at all.

    A smart admin knows his defenses and his holes. If he is smart, he uses all available tools to make the job of the "bad guy" (or stupid guy) that much harder. Some of those tools will stop certain attacks cold...some will just make them more difficult and time consuming...giving you more possibility to discover them before any damage is done. Any determined "bad guy" can find a way around your defenses...but there's no reason to make it fast and easy for him.

  25. Re:What about banning booting Knoppix CD? by kalidasa · · Score: 2, Informative

    Yes, read access. I use it plenty. But the disabling features should be in the BIOS, not the OS.

  26. Re:What about banning booting Knoppix CD? by ReelOddeeo · · Score: 3, Informative

    If you're going to open the computer's case, it is easier to remove the HD and use a jury-rigged "external USB enclosure" with cannibalized guts to connect it to your laptop, then steal the data onto your laptop.

    --

    Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
  27. at least 8 UNDETECTABLE ways to beat this by nusratt · · Score: 2, Informative

    If *I* really wanted to steal something, the only way you could stop me is to disable access to ***ALL*** i/o --
    including sealing the serial / parallel /audio ports,
    AND hard-wiring the mouse, keyboard, ethernet, and monitor connections -- at BOTH ends.

    Leave ANY of those open, and I'll be able to write to magnetic media,
    UNDETECTABLY to anyone who isn't standing next to me at the moment when I'm connecting my evil capture device.

    And even after you do all that, I can STILL transmit data -- encoded (e.g., barcode) in high frame-rate video -- from one tiny innocent-looking window, to a button-hole video lens in my shirt.

    Then there's EM emissions recording.

    IOW, if you don't strip-search me, your data is "gone in 60 seconds".

  28. Re:They've got their priorities wrong by Chester+K · · Score: 2, Informative

    You can block IE using Group Policy.

    --

    NO CARRIER